AWS · NoSQL Database
Amazon DynamoDB backup and recovery
Built for cloud teams
Recover Amazon DynamoDB tables to any point in time — without managing backup infrastructure. Air-gapped, immutable, and API-first from day one.
Storage tier
Restore type
Cross-region
Cross-account
01 · Why Clumio for DynamoDB
Why pick Clumio for DynamoDB
Native DynamoDB protection lives in your AWS account. PITR dies when the table dies, and AWS Backup‘s repeated full backups push TCO up as tables grow. Six capabilities address both problems, the same six that enterprise customers have used to cut their DynamoDB backup costs significantly after switching to Clumio.
RECORD-LEVEL RESTORE
Recover down to single items
Query Item Collections from a backup with partition-key and sort-key filters, preview the matched records, then download as CSV or share via Transparent Data Access. Skip rehydrating a whole table when you only need a handful of rows.
BACKTRACK
Partition-level in-place restore
Roll selected partitions of a live table back to a previous point in time using partition_key and sort_key filters. The table ARN, IAM, and Terraform state stay intact. Useful when a full restore would be overkill.
AIR-GAPPED VAULT
Survives source-table deletion
SecureVault backups live in Clumio’s immutable, out-of-account vault. Unlike PITR (which is destroyed when the source table is deleted, accidentally or maliciously), a SecureVault copy is intact even if the source account is compromised.
INCREMENTAL FOREVER
One seed, then only the changes
After the initial seed, SecureVault captures only what changed between backups. No repeated full copies, ever. Cost compounds the other way over time: the longer the retention horizon, the bigger the gap vs. AWS Backup’s full-copy model.
CONTINUOUS RPO
Near-zero data loss with PITR
Restore to any authorized AWS account or region, independent of the source account’s state. Supports disaster recovery and migration workflows.
GRANULAR BACKUP
Back up only the tables you need
Policies and tag-based protection rules pick specific tables across accounts and regions; one policy can cover many tables. No more all-tables-or-nothing decisions that inflate native backup spend.
New to Clumio?
Set up your AWS account first
This page assumes a connected AWS account and at least one protection group. If you haven’t done that yet, the Getting Started guide walks you through sign-up, account connection, and your first backup in under 15 minutes.
02 · Backup
How to back up Amazon DynamoDB
Apply a backup policy to your tables, either directly or through tag-based protection rules. One policy can drive both an air-gapped SecureVault backup and a Clumio-managed AWS Snap.
Create a backup policy
A DynamoDB policy defines frequency and retention for SecureVault backups, optional 15-minute RPO for point-in-time recovery, and optional Clumio-managed Snaps. The policy default is one backup every 6 hours with 3-day retention. Clumio enforces an hourly backup SLA on SecureVault regardless of the policy schedule.
Pick the right RPO, down to 15 minutes with PITR
The policy schedule sets the floor (e.g., every 6 hours). For tighter RPO, select 15-minute RPO on the policy. The mechanism uses Amazon DynamoDB Streams to capture incremental changes between scheduled backups, giving you the ability to restore to any timestamp within the retention window.
Point-in-time restore and partition-level Backtrack to an arbitrary timestamp both depend on the configured RPO. With 15-minute RPO, you can target any instant. With a coarser schedule, you can still restore from any SecureVault backup point or Snap in the calendar, but you can’t pick an exact instant between captures.
Choose your backup types (SecureVault, Snap, or both)
SECUREVAULT
Standalone, air-gapped copy stored in Clumio’s immutable vault outside your AWS account. Supports record-level granular restore, full-table restore, and cross-account / cross-region recovery. Survives source-table deletion.
CLUMIO-MANAGED SNAP
Native AWS snapshot taken by AWS and stored in your AWS account, with frequency and retention managed from the Clumio console. Fast operational recovery; same security sphere as the source table.
A single Clumio policy can drive both at once. Backtrack (partition-level in-place restore) operates on SecureVault data; arbitrary-timestamp Backtrack depends on the configured RPO.
Choose a region (in-region or out-of-region)
By default, Clumio stores SecureVault backups in the same region as the source table. You can target a different region for cross-region durability, which adds AWS data transfer cost. The destination region is set on the policy.
Apply the policy with protection rules
Once the policy is saved, use protection rules to apply it to tables. Rules can target tables by AWS tag (e.g., backup=tier1), by account, or by region, so newly created tables get protected automatically without manual assignment.
03 · Restore
How to restore Amazon DynamoDB
Every DynamoDB restore is a three-axis decision: when to recover from, what to recover, and where the recovered data should land. Pick one of each axis to define the restore.
WHENPick the recovery point
Three options: an exact PITR timestamp, a Snap, or a SecureVault backup point.
Pick any timestamp within the continuous-capture window. Clumio assembles the table state from DynamoDB Streams capture, useful for “rewind to right before the bad write” recoveries. Requires 15-minute RPO enabled on the policy.
Pick a specific SecureVault backup or Snap from the table’s protection calendar. Each colored dot represents one captured point. Use this when you want a known-good capture instead of an exact instant.
WHATPick the granularity
From individual records up to entire tables.
Query an Item Collection with partition-key (required) and sort-key (optional) filters. Preview matched records (up to 10, some fields masked), then download as CSV or send via Transparent Data Access with a passcode.
Roll selected partitions back in place using partition_key and sort_key filters. Preserves table ARN, IAM, and Terraform state.
Full table restore from a SecureVault backup or Snap, optionally with global secondary indices. Estimated restore cost is surfaced before you confirm.
WHEREPick the destination
Restore back into the source table, into an existing empty table, or land somewhere else entirely.
Roll selected partitions of the source table back to a previous state (same table, same account, same ARN). Two flavors: full-table point-in-time Backtrack, and partial Backtrack with partition_key / sort_key filters. Preserves Terraform state and downstream IAM bindings.
Restore to a new table in the same account, a different account, or a different region, with custom name, tags, and KMS encryption key. Or restore into an existing empty table (schemas must match) so Terraform-managed tables don’t end up orphaned.
05 · Common questions
Frequently asked questions
Questions from engineers setting up Amazon DynamoDB protection or troubleshooting restores.
How does Clumio for DynamoDB compare to AWS PITR or AWS Backup?
DynamoDB PITR is tied to the source table: if the table is deleted (accidentally or maliciously), the PITR window goes with it. PITR also doesn’t support cross-account restore. AWS Backup keeps logically separate copies, but every copy is a full backup, so storage cost grows linearly with retention. SecureVault sits in an immutable, air-gapped vault outside your AWS account. The backup survives even if the source table or source account is compromised and supports cross-account and cross-region restore. Customers running Clumio for DynamoDB have reported up to ~50% lower TCO vs. AWS Backup, mostly because SecureVault is incremental-forever after the seed instead of taking repeated full backups.
How does 15-minute RPO work?
When 15-minute RPO is selected on the policy, Clumio uses Amazon DynamoDB Streams to capture incremental changes between scheduled backups. You can then restore to any timestamp inside the retention window, not just the next scheduled capture. Streams must be enabled on the table for this to work.
Is there a minimum retention or required frequency for DynamoDB backups?
Clumio enforces an hourly SLA on SecureVault: at least one backup attempt per hour, regardless of policy schedule. The default policy is one backup every 6 hours retained for 3 days. You can tighten or loosen both per workload, but Clumio will continue to attempt hourly captures under the SLA. Clumio-managed Snaps are independent and follow whatever schedule and retention you configure on the policy; they’re taken by AWS and stored in your account.
Can I restore DynamoDB tables to a different AWS account or region?
Yes. Cross-account and cross-region restore are both supported for DynamoDB SecureVault backups. Pick the target account and region during restore setup. The target account must have a Clumio connector installed and trust established. Because backups live outside the source account, there’s no dependency on the source account being healthy, which is useful for ransomware and account-compromise recovery scenarios.
How granular can DynamoDB restores get?
Three levels. Record: query Item Collections from a SecureVault backup with a partition key (required) and sort key (optional), apply attribute filters, preview the matched records, and either download as CSV or share a download link via Transparent Data Access with a passcode for the recipient. Partition: roll selected partitions back in place via Backtrack using partition_key and sort_key filters. Full table: restore the entire table from any SecureVault backup or Snap, in place or out-of-place. Pick the smallest level that fits the recovery. Record-level avoids rehydrating the whole table when you only need a subset of items.
What does Backtrack do for DynamoDB?
Backtrack restores the source table itself (or selected partitions of it) back to a previous point-in-time, in place. Two flavors: full-table Backtrack returns the entire table to a chosen timestamp, and partial Backtrack uses partition_key and sort_key filters to roll back only the affected partitions, leaving everything else untouched. Both preserve the table ARN, IAM bindings, and Terraform state, so downstream resources don’t need rewiring. Arbitrary-timestamp Backtrack depends on the configured RPO. With 15-minute RPO, you can target any instant; with a coarser policy schedule, Backtrack still works against captured points on the calendar.
Will a Clumio restore create a new table or restore into the existing one?
Either, depending on which restore type you pick. Backtrack is in-place: it modifies the existing table. Full and partial restores can land in a brand-new table or, more usefully for Terraform/IaC users, into an existing empty table as long as the schemas match. That second option avoids leaving orphaned tables that aren’t tracked by your IaC state.
What’s the difference between a SecureVault backup and a Clumio-managed Snap?
SecureVault backups are stored in Clumio’s immutable, air-gapped vault outside your AWS account; they’re the right call for ransomware, account compromise, and long-retention scenarios, and they’re what Backtrack and record-level granular restore operate against. Clumio-managed Snaps are native AWS snapshots taken by AWS and stored in your AWS account, managed from the Clumio console; they’re fast for operational recovery but live in the same security sphere as the source table. A single Clumio policy can drive both. If you edit Snap frequency or retention from the AWS console directly, those changes override the Clumio policy settings, so manage Snap schedules from one place.
Related resources
Go deeper
Blog posts and reference material for teams building on Clumio Amazon DynamoDB protection.
Blog
How the Move to Clumio Delivered 66.7% Savings on AWS Backups
How xyzt.ai replaced native AWS snapshots with Clumio and cut backup spend by two thirds — applicable patterns for DynamoDB cost optimization.
Blog
Automating AWS Data Protection with Terraform and Clumio
How to wire DynamoDB backup policies, protection rules, and account connections from Terraform for GitOps-compatible automated protection.
Whitepaper
Secure, Immutable, Air-Gapped Data Protection with Clumio
A technical deep-dive into the vault architecture — per-customer isolation, immutability enforcement, and why the air-gap model outperforms account-resident backup for ransomware recovery.